Michael Tokarev
2022-Nov-21 07:46 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
21.11.2022 10:25, Rowland Penny via samba wrote:
..
> There are numerous problems with using a Samba AD DC as a fileserver, one of which is that it uses a totally different idmapping system than any other
> Samba machine. This means that you cannot use any of the parameters that you would use on a Unix domain member. I have seen users attempt to use the
> 'idmap config' lines, but they usually have no effect, I cannot remember the use of 'winbind nss info' before, but again, the winbind lines mostly
> have no effect.

This has been repeated a few times, - do not use - but there's no conclusive reason given (to me it looks more like "there are bugs in samba which prevent doing this" - it's a good reason already but it's not given).

> I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_.28Optional.29

I've read this many times in recent days and before as well.

Here, I've a domain which is supposed to go into production, replacing an old NT4-style domain. There's just one server in that office. I created a virtual machine for new samba, set up the DC on it, and I need to verify if it works. The most natural thing to do - to me anyway, since I'm not concerned yet about all the disadvantages listed on that WIKI page, - for now it is just a test - when there are just two machines on the domain, the Samba DC and a Win10 client - is to try to access a file share from win on the DC. Because if I install a new VM with a file server on it, I can screw samba on it when joining it to this new domain already, so if win doesn't work with this other file server, it might be due to its own configuration issue. It is the most natural thing to do to verify if win works with the DC first, and install new servers only after it's done. In other words, it's quite natural to do one thing after another, not all together at once.

Besides, for a new file server, I'll need to install yet another VM just for testing, which is a clear and obvious disadvantage.

I'm not arguing here. I'm outlining the "why". And it does not look like I'm alone there, -- it SEEMS like a very natural thing to use the DC as a fileserver despite all the "disadvantages" listed. Because even just one reason: a need to install a VM - might be enough to make this idea (running a DC in a VM) to be rejected entirely. (It is not a prob for me, but even for me it required quite some prior research and especially completely changing network configuration on a remote server without remote console access - this *is* not easy).

For this reason, maybe it's a good idea to review the issues which do pop up when one is trying to use Samba DC as a file server, and document the list, maybe fix some of the things in there (like the explorer crashing - it is well-known bug, https://bugzilla.samba.org/show_bug.cgi?id=14213 ). With this understanding it will be much easier for anyone to see which actual problems are expected and whenever he is able to deal with them, and if it really is worth to install a VM.

/mjt
Kees van Vloten
2022-Nov-21 08:41 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
It is not so easy to do the parameter settings right. That is why the smb.conf parameter reviews by Rowland are so valuable.

I have been struggling a few times because 'man smb.conf' contains a lot of settings, one can really get lost. The man-page is very clear on what to put in global and what to put per share. But there is some room for improvement to indicate what is meant for fileservers, what for NT4-domain-controllers, what for AD-DCs, for winbind, and so on. I guess it would prevent a lot of misconfigured machines and questions here.

I do understand that the main reason something like this has not been done is the time investment, and time that is also lacking on my side. But then again, it is still worth mentioning.

- Kees

On 21-11-2022 08:46, Michael Tokarev via samba wrote:
> 21.11.2022 10:25, Rowland Penny via samba wrote:
> ..
>> There are numerous problems with using a Samba AD DC as a fileserver,
>> one of which is that it uses a totally different idmapping system
>> than any other Samba machine. This means that you cannot use any of
>> the parameters that you would use on a Unix domain member. I have
>> seen users attempt to use the 'idmap config' lines, but they usually
>> have no effect, I cannot remember the use of 'winbind nss info'
>> before, but again, the winbind lines mostly have no effect.
>
> This has been repeated a few times, - do not use - but there's no
> conclusive reason
> given (to me it looks more like "there are bugs in samba which prevent
> doing this" -
> it's a good reason already but it's not given).
>
>> I suggest you read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_.28Optional.29
>>
>
> I've read this many times in recent days and before as well.
>
> Here, I've a domain which is supposed to go into production,
> replacing an old NT4-style domain. There's just one server
> in that office. I created a virtual machine for new samba,
> set up the DC on it, and I need to verify if it works. The
> most natural thing to do - to me anyway, since I'm not concerned
> yet about all the disadvantages listed on that WIKI page, -
> for now it is just a test - when there are just two machines on
> the domain, the Samba DC and a Win10 client - is to try to access
> a file share from win on the DC. Because if I install a new
> VM with a file server on it, I can screw samba on it when
> joining it to this new domain already, so if win doesn't
> work with this other file server, it might be due to its own
> configuration issue. It is the most natural thing to do to
> verify if win works with the DC first, and install new servers
> only after it's done. In other words, it's quite natural to
> do one thing after another, not all together at once.
>
> Besides, for a new file server, I'll need to install yet
> another VM just for testing, which is a clear and obvious
> disadvantage.
>
> I'm not arguing here. I'm outlining the "why". And it does
> not look like I'm alone there, -- it SEEMS like a very natural
> thing to use the DC as a fileserver despite all the "disadvantages"
> listed. Because even just one reason: a need to install a VM -
> might be enough to make this idea (running a DC in a VM) to be
> rejected entirely. (It is not a prob for me, but even for me
> it required quite some prior research and especially completely
> changing network configuration on a remote server without remote
> console access - this *is* not easy).
>
> For this reason, maybe it's a good idea to review the issues which
> do pop up when one is trying to use Samba DC as a file server, and
> document the list, maybe fix some of the things in there (like the
> explorer crashing - it is well-known bug,
> https://bugzilla.samba.org/show_bug.cgi?id=14213 ). With this
> understanding
> it will be much easier for anyone to see which actual problems are
> expected and whenever he is able to deal with them, and if it really
> is worth to install a VM.
>
> /mjt
>
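Added example, not part of any message in this thread: a small smb.conf check that flags, on a host whose `server role` marks it as an AD DC, the `[global]` parameters the quoted advice says usually have no effect there ('idmap config' lines and 'winbind nss info'). The sample configuration, the function names and the choice to treat only those two parameter families as suspect are assumptions made for illustration.

```python
import re

# 'server role' values that mean the host is an AD DC.
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
# Parameters the thread names as usually having no effect on an AD DC.
SUSPECT = (re.compile(r"^idmap config\b"), re.compile(r"^winbind nss info$"))

# Constructed sample, not a configuration posted in the thread.
SAMPLE = """\
[global]
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
    winbind nss info = rfc2307
    ; idmap config * : backend = tdb
[share]
    path = /srv/share
"""


def parse_global(text):
    """Return {normalised name: (line number, value)} for the [global] section."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse inner whitespace.
            name = " ".join(name.lower().split())
            params[name] = (lineno, value.strip())
    return params


def lint_dc(text):
    """List (line, name) of [global] parameters that are suspect on an AD DC."""
    params = parse_global(text)
    role = params.get("server role", (0, ""))[1].lower()
    if role not in DC_ROLES:
        return []  # not declared as a DC: these parameters are expected
    return sorted((ln, name) for name, (ln, _) in params.items()
                  if any(p.search(name) for p in SUSPECT))
```

The check reports nothing when the role is a member server, where the same parameters are the normal way to configure ID mapping.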
Jeremy Allison
2022-Nov-21 18:06 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
On Mon, Nov 21, 2022 at 10:46:33AM +0300, Michael Tokarev via samba wrote:
>
>For this reason, maybe it's a good idea to review the issues which
>do pop up when one is trying to use Samba DC as a file server, and
>document the list, maybe fix some of the things in there (like the
>explorer crashing - it is well-known bug,
>https://bugzilla.samba.org/show_bug.cgi?id=14213 ). With this understanding
>it will be much easier for anyone to see which actual problems are
>expected and whenever he is able to deal with them, and if it really
>is worth to install a VM.

So Metze added a patch to this bug that makes Samba behave like Windows. Does that fix the issue?

We should probably also add a regression test that uses rpcclient to request the SID lists that causes Windows to crash when Samba replies, and make sure that we keep returning what Windows returns in this specific case instead.